Deployment Guide Citrix ADC VPX on AWS - GSLB

Overview

Citrix ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications regardless of where they are hosted. It comes in a wide variety of form factors and deployment options without locking users into a single configuration or cloud. Pooled capacity licensing enables the movement of capacity among cloud deployments.

As an undisputed leader of service and application delivery, Citrix ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, Citrix ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. Citrix ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required.

Citrix VPX

The Citrix ADC VPX product is a virtual appliance that can be hosted on a wide variety of virtualization and cloud platforms:

  • Citrix Hypervisor

  • VMware ESX

  • Microsoft Hyper-V

  • Linux KVM

  • Amazon Web Services

  • Microsoft Azure

  • Google Cloud Platform

This deployment guide focuses on Citrix ADC VPX on Amazon Web Services.

Amazon Web Services

Amazon Web Services (AWS) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings. AWS services can offer tools such as compute power, database storage, and content delivery services.

AWS offers the following essential services:

  • AWS Compute Services

  • Migration Services

  • Storage

  • Database Services

  • Management Tools

  • Security Services

  • Analytics

  • Networking

  • Messaging

  • Developer Tools

  • Mobile Services

AWS Terminology

Here is a brief description of essential terms used in this document that users must be familiar with:

  • Elastic Network Interface (ENI) - A virtual network interface that users can attach to an instance in a Virtual Private Cloud (VPC).

  • Elastic IP (EIP) address - A static, public IPv4 address that users have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with user accounts, not a specific instance. They are elastic because users can easily allocate, attach, detach, and free them as their needs change.

  • Subnet - A segment of the IP address range of a VPC to which EC2 instances can be attached. Users can create subnets to group instances according to security and operational needs.

  • Virtual Private Cloud (VPC) - A web service for provisioning a logically isolated section of the AWS cloud where users can launch AWS resources in a virtual network that they define.

Here is a brief description of other terms used in this document that users should be familiar with:

  • Amazon Machine Image (AMI) - A machine image, which provides the information required to launch an instance, which is a virtual server in the cloud.

  • Elastic Block Store - Provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.

  • Simple Storage Service (S3) - Storage for the Internet. It is designed to make web-scale computing easier for developers.

  • Elastic Compute Cloud (EC2) - A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

  • Elastic Load Balancing (ELB) - Distributes incoming application traffic across multiple EC2 instances, in multiple Availability Zones. This increases the fault tolerance of user applications.

  • Instance type - Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give users the flexibility to choose the appropriate mix of resources for their applications.

  • Identity and Access Management (IAM) - The AWS service that defines identities (users, groups, and roles) and the permission policies that determine what each identity can and cannot do in AWS. An IAM role lets applications running on an EC2 instance access AWS resources without embedding long-lived credentials on the instance. An IAM role is required for deploying VPX instances in a high-availability setup.

  • Internet Gateway - Connects a network to the Internet. Users can route traffic for IP addresses outside their VPC to the Internet gateway.

  • Key pair - A set of security credentials with which users prove their identity electronically. A key pair consists of a private key and a public key.

  • Route table - A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. Users can associate multiple subnets with a single route table, but a subnet can be associated with only one route table at a time.

  • Auto Scaling - A web service to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules, and health checks.

  • CloudFormation - A service for writing or changing templates that create and delete related AWS resources together as a unit.

Use Cases

Compared to alternative solutions that require each service to be deployed as a separate virtual appliance, Citrix ADC on AWS combines L4 load balancing, L7 traffic management, server offload, application acceleration, application security, and other essential application delivery capabilities in a single VPX instance, conveniently available via the AWS Marketplace. Furthermore, everything is governed by a single policy framework and managed with the same, powerful set of tools used to administer on-premises Citrix ADC deployments. The net result is that Citrix ADC on AWS enables several compelling use cases that not only support the immediate needs of today’s enterprises, but also the ongoing evolution from legacy computing infrastructures to enterprise cloud data centers.

Global Server Load Balancing (GSLB)

Global Server Load Balancing (GSLB) is important for many of our customers. Those businesses have an on-prem data center presence serving regional customers, but with increasing demand for their business, they now want to scale and deploy their presence globally across AWS and Azure while maintaining their on-prem presence for regional customers. Customers want to do all of this with automated configurations as well. Thus, they are looking for a solution that can rapidly adapt to either evolving business needs or changes in the global market.

On the network administrator's side, Citrix ADC lets customers use the Global Load Balancing (GLB) StyleBook to configure applications both on-prem and in the cloud, and Citrix ADM can push that same configuration to the cloud. With GSLB, users are directed to either on-prem or cloud resources depending on proximity. This allows for a seamless experience no matter where the users are located in the world.

Deployment Types

Three-NIC Deployment

  • Typical Deployments

    • GLB StyleBook

    • With ADM

    • With GSLB (Route53 w/domain registration)

    • Licensing - Pooled/Marketplace

  • Use Cases

    • Three-NIC Deployments are used to achieve real isolation of data and management traffic.

    • Three-NIC Deployments also improve the scale and performance of the ADC.

    • Three-NIC Deployments are recommended for network applications where throughput is typically 1 Gbps or higher.

CFT Deployment

Customers would deploy using CloudFormation Templates if they are customizing their deployments or they are automating their deployments.

Deployment Steps

Three-NIC Deployment for GSLB

The Citrix ADC VPX instance is available as an Amazon Machine Image (AMI) in the AWS marketplace, and it can be launched as an Elastic Compute Cloud (EC2) instance within an AWS VPC. The smallest EC2 instance type supported for the Citrix ADC VPX AMI is m4.large. The Citrix ADC VPX AMI instance requires a minimum of 2 virtual CPUs and 2 GB of memory. An EC2 instance launched within an AWS VPC can also provide the multiple interfaces, multiple IP addresses per interface, and public and private IP addresses needed for VPX configuration. Each VPX instance requires at least three IP subnets:

  • A management subnet

  • A client-facing subnet (VIP)

  • A back-end facing subnet (SNIP)

Citrix recommends three network interfaces for a standard VPX installation on AWS.

AWS currently makes multi-IP functionality available only to instances running within an AWS VPC. A VPX instance in a VPC can be used to load balance servers running in EC2 instances. An Amazon VPC allows users to create and control a virtual networking environment, including their own IP address range, subnets, route tables, and network gateways.

Note:

By default, users can create up to 5 VPCs per AWS Region for each AWS account. Users can request higher VPC limits by submitting Amazon's request form here: Amazon VPC Request.

Licensing

A Citrix ADC VPX instance on AWS requires a license. The following licensing options are available for Citrix ADC VPX instances running on AWS:

Deployment Options

Users can deploy a Citrix ADC VPX standalone instance on AWS by using the following options:

  • AWS web console

  • Citrix-authored CloudFormation template

  • AWS CLI

Three-NIC Deployment Steps

Users can deploy a Citrix ADC VPX instance on AWS through the AWS web console. The deployment process includes the following steps:

  • Create a Key Pair

  • Create a Virtual Private Cloud (VPC)

  • Add more subnets

  • Create security groups and security rules

  • Add route tables

  • Create an internet gateway

  • Create a Citrix ADC VPX instance

  • Create and attach more network interfaces

  • Attach elastic IPs to the management NIC

  • Connect to the VPX instance

Create a Key Pair

Amazon EC2 uses a key pair to encrypt and decrypt logon information. To log on to an instance, users must create a key pair, specify the name of the key pair when they launch the instance, and provide the private key when they connect to the instance.

When users review and launch an instance by using the AWS Launch Instance wizard, they are prompted to use an existing key pair or create a new key pair. For more information about how to create a key pair, see: Amazon EC2 Key Pairs and Linux Instances.

Create a VPC

A Citrix ADC VPX instance is deployed inside an AWS VPC. A VPC allows users to define virtual networks dedicated to their AWS account. For more information about AWS VPC, see: Getting Started With IPv4 for Amazon VPC.

While creating a VPC for a Citrix ADC VPX instance, keep the following points in mind.

  • Use the VPC with a Single Public Subnet Only option to create an AWS VPC in an AWS availability zone.

  • Citrix recommends that users create at least three subnets, of the following types:

    • One subnet for management traffic. Place the management IP (NSIP) on this subnet. By default, elastic network interface (ENI) eth0 is used for the management IP.

    • One or more subnets for client-access (user-to-Citrix ADC VPX) traffic, through which clients connect to one or more virtual IP (VIP) addresses assigned to Citrix ADC load balancing virtual servers.

    • One or more subnets for the server-access (VPX-to-server) traffic, through which the VPX reaches user servers from VPX-owned subnet IP (SNIP) addresses. For more information about Citrix ADC load balancing virtual servers, virtual IP addresses (VIPs), and subnet IP addresses (SNIPs), see the Citrix ADC load balancing documentation.

    • All subnets must be in the same availability zone.

Add Subnets

When the VPC wizard is used for deployment, only one subnet is created. Depending on user requirements, users may want to create more subnets. For more information about how to create more subnets, see: VPCs and Subnets.

Create Security Groups and Security Rules

To control inbound and outbound traffic, create security groups and add rules to the groups. For more information about how to create groups and add rules, see: Security Groups for Your VPC.

For Citrix ADC VPX instances, the EC2 wizard offers a default security group, generated by AWS Marketplace and based on settings recommended by Citrix. However, users can create more security groups based on their requirements.

Note:

Ports 22, 80, and 443 must be open on the security group for SSH, HTTP, and HTTPS access respectively. Restrict the source of the management ports (22, and 443 on the management NIC) to the administrators' address ranges rather than 0.0.0.0/0; only the client-facing VIP ports need to accept traffic from anywhere.

Add Route Tables

Route tables contain a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in a VPC must be associated with a route table. For more information about how to create a route table, see: Route Tables.

Create an Internet Gateway

An internet gateway serves two purposes: to provide a target in the VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

Create an internet gateway for internet traffic. For more information about how to create an Internet Gateway, see the section: Creating and Attaching an Internet Gateway.

Create a Citrix ADC VPX Instance by using the AWS EC2 Service

To create a Citrix ADC VPX instance by using the AWS EC2 service, complete the following steps:

  • From the AWS dashboard, go to Compute > EC2 > Launch Instance > AWS Marketplace.

  • Before clicking Launch Instance, users should ensure their region is correct by checking the note that appears under Launch Instance.

  • In the Search AWS Marketplace bar, search with the keyword Citrix ADC VPX.

  • Select the version the user wants to deploy and then click Select.  For the Citrix ADC VPX version, users have the following options:

    • A licensed version

    • Citrix ADC VPX Express appliance (This is a free virtual appliance, which is available from Citrix ADC version 12.0 56.20.)

    • Bring your own license (BYOL)

The Launch Instance wizard starts. Follow the wizard to create an instance.  The wizard prompts users to:

  • Choose Instance Type

  • Configure Instance

  • Add Storage

  • Add Tags

  • Configure Security Group

  • Review

Create and Attach more Network Interfaces

Create two more network interfaces for the VIP and SNIP. For more information about how to create more network interfaces, see: Creating a Network Interface.

After users have created the network interfaces, they must attach the interfaces to the VPX instance: shut down the VPX instance, attach the interfaces, and then power the instance back on. For more information about how to attach network interfaces, see the section: Attaching a Network Interface When Launching an Instance.

Allocate and Associate Elastic IPs

If users assign a public IP address to an EC2 instance, it remains assigned only until the instance is stopped. After that, the address is released back to the pool. When users restart the instance, a new public IP address is assigned.

In contrast, an elastic IP (EIP) address remains assigned until the address is disassociated from an instance.

Allocate and associate an elastic IP for the management NIC. For more information about how to allocate and associate elastic IP addresses, see these topics:

These steps complete the procedure to create a Citrix ADC VPX instance on AWS. It can take a few minutes for the instance to be ready. Check that the instance has passed its status checks. Users can view this information in the Status Checks column on the Instances page.

Connect to the VPX Instance

After users have created the VPX instance, users can connect to the instance by using the GUI and an SSH client.

  • GUI

The following are the default administrator credentials to access a Citrix ADC VPX instance:

User name: nsroot

Password: The default password for the nsroot account is the AWS instance ID of the Citrix ADC VPX instance. Change it at first login: the instance ID is visible to anyone with EC2 describe permissions in the account, so it is not a secret.

  • SSH client

From the AWS management console, select the Citrix ADC VPX instance and click Connect. Follow the instructions given on the Connect to Your Instance page.

For more information about how to deploy a Citrix ADC VPX standalone instance on AWS by using the AWS web console, see:

Configure GSLB in two AWS Locations

Setting up GSLB for the Citrix ADC on AWS consists of configuring the Citrix ADC to load balance traffic to servers located outside the VPC that the Citrix ADC belongs to, such as within another VPC in a different AWS Region or in an on-premises data center.

image-vpx-aws-gslb-deployment-01

Domain-Name Based Services (GSLB DBS) with Cloud Load Balancers

GSLB and DBS Overview

Citrix ADC GSLB support using DBS (Domain Based Services) for Cloud load balancers allows for the automatic discovery of dynamic cloud services using a cloud load balancer solution. This configuration allows the Citrix ADC to implement Global Server Load Balancing Domain-Name Based Services (GSLB DBS) in an Active-Active environment. DBS allows the scaling of back-end resources in AWS environments from DNS discovery.

This section covers the integration of Citrix ADC with AWS Auto Scaling environments. The final section of the document details the ability to set up an HA pair of Citrix ADCs that spans two different Availability Zones (AZs) within an AWS region.

Citrix ADC GSLB Service Group Feature Enhancements

GSLB Service Group entity: Citrix ADC version 12.0.57

The GSLB Service Group entity, introduced in this release, supports autoscale through DBS (domain-based service) dynamic discovery: a server defined by its FQDN (the DBS feature component) is bound to the GSLB service group, and the group's members are populated from the DNS answer for that name.

Example:

```
> add server sydney_server LB-Sydney-xxxxxxxxxx.ap-southeast-2.elb.amazonaws.com
> add gslb serviceGroup sydney_sg HTTP -autoScale DNS -siteName sydney
> bind gslb serviceGroup sydney_sg sydney_server 80
```

Domain-Name based Services – AWS ELB

GSLB DBS uses the FQDN of the user's Elastic Load Balancer to dynamically update the GSLB Service Groups to include the back-end servers that are being created and deleted within AWS. The back-end servers or instances in AWS can be configured to scale based on network demand or CPU utilization. To configure this feature, point the Citrix ADC at the Elastic Load Balancer; the ADC then routes to whichever servers are behind it without the Citrix ADC having to be updated manually every time an instance is created or deleted within AWS. The Citrix ADC DBS feature for GSLB Service Groups uses DNS-aware service discovery to determine the member service resources of the DBS namespace identified in the AutoScale group.
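The discovery loop described above, written out as an added example (illustrative Python, not Citrix's implementation): the ADC re-resolves the domain-based server's FQDN, compares the answer with the members currently bound to the GSLB service group, and binds or unbinds the difference. The resolver answers are constructed inline so the reconciliation runs offline; the `unbind gslb serviceGroup` form and the decision to keep existing members on an empty answer are this example's assumptions, not documented ADC behaviour.

```python
"""DNS-based member discovery for a GSLB service group (added example).
Resolver answers are constructed inline; nothing here talks to a network."""
from dataclasses import dataclass, field
import ipaddress
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Member:
    ip: str
    port: int


@dataclass
class GslbServiceGroup:
    name: str
    fqdn: str            # domain-based server bound to the group, e.g. an ELB DNS name
    port: int
    members: Set[Member] = field(default_factory=set)


def parse_answer(records: Iterable[str]) -> Set[str]:
    """Keep only routable unicast IPv4 addresses from a resolver answer, so a
    garbled or poisoned answer cannot bind a member at a loopback, multicast,
    or unspecified address."""
    good = set()
    for rr in records:
        try:
            ip = ipaddress.IPv4Address(rr)
        except ValueError:
            continue                        # not an IPv4 literal: ignore the record
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            continue
        good.add(str(ip))
    return good


def reconcile(group: GslbServiceGroup, resolved_ips: Set[str]) -> List[str]:
    """Update group.members to match the DNS answer and return the CLI commands
    that express the change. The bind form follows the documented
    `bind gslb serviceGroup <name> <IP> <port>` syntax; the unbind form and the
    empty-answer policy are assumptions of this example."""
    wanted = {Member(ip, group.port) for ip in resolved_ips}
    if not wanted:
        # Empty answer (e.g. a transient resolver failure): keep the current
        # members rather than draining the site. Assumption of this example.
        return []
    by_addr = lambda m: ipaddress.IPv4Address(m.ip)
    commands = [f"bind gslb serviceGroup {group.name} {m.ip} {m.port}"
                for m in sorted(wanted - group.members, key=by_addr)]
    commands += [f"unbind gslb serviceGroup {group.name} {m.ip} {m.port}"
                 for m in sorted(group.members - wanted, key=by_addr)]
    group.members = wanted
    return commands


# Constructed sample answers for the ELB name: the first resolution, then a
# later one in which AWS replaced one node and two junk records came back.
FIRST_ANSWER = ["10.0.1.10", "10.0.1.11"]
LATER_ANSWER = ["10.0.1.11", "10.0.1.12", "127.0.0.1", "not-an-ip"]


def demo() -> List[List[str]]:
    """Run three discovery cycles against the sample answers."""
    group = GslbServiceGroup(
        "sydney_sg", "LB-Sydney-xxxxxxxxxx.ap-southeast-2.elb.amazonaws.com", 80)
    return [reconcile(group, parse_answer(FIRST_ANSWER)),
            reconcile(group, parse_answer(LATER_ANSWER)),
            reconcile(group, parse_answer([]))]


if __name__ == "__main__":
    for cycle, commands in enumerate(demo(), 1):
        print(f"cycle {cycle}: {commands}")
```

The second cycle is the interesting one: the replaced node is unbound, the new node is bound, and the loopback and non-IP records are discarded before they can become members. That filtering is the check a practitioner wants in front of any DNS-driven membership, because the ADC trusts whatever the configured nameserver returns.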

Diagram:

Citrix ADC GSLB DBS AutoScale components with Cloud Load Balancers:

image-vpx-aws-gslb-deployment-02

Configure AWS Components

Security Groups

Note:

Citrix recommends creating separate security groups for the ELB, the Citrix ADC GSLB instance, and the Linux instances, because the set of rules required for each of these entities is different. This example uses a single consolidated security group for brevity.

To ensure the proper configuration of the virtual firewall, see: Security Groups for Your VPC.

Step 1:

Log in to the AWS console and navigate to EC2 > NETWORK & SECURITY > Security Groups.

image-vpx-aws-gslb-deployment-03

Step 2:

Click Create Security Group and provide a name and description. This security group encompasses the Citrix ADC and Linux back-end web servers.

image-vpx-aws-gslb-deployment-04

Step 3:

Add the inbound port rules from the following screenshot.

Note:

Limiting Source IP access is recommended for granular hardening. For more information, see: Web Server Rules.

image-vpx-aws-gslb-deployment-05

Amazon Linux Back-end Web Services

Step 4:

Log in to the AWS console and navigate to EC2 > Instances.

image-vpx-aws-gslb-deployment-06

Step 5:

Click Launch Instance and use the following details to configure the Amazon Linux instance.

Fill in details about setting up a Web Server or back-end service on this instance.

image-vpx-aws-gslb-deployment-07

Citrix ADC Configuration

Step 6:

Log in to the AWS console and navigate to EC2 > Instances.

image-vpx-aws-gslb-deployment-08

Step 7:

Click Launch Instance and use the following details to configure the Citrix ADC VPX AMI instance.

image-vpx-aws-gslb-deployment-09

Elastic IP Configuration

Note:

Citrix ADC can also run with a single Elastic IP, to reduce cost, by not giving the NSIP a public IP. Instead, attach an Elastic IP to the SNIP, which then carries management access to the appliance in addition to the GSLB site IP and ADNS IP. Doing so places the management services on an internet-reachable address, so restrict the security-group sources for ports 22 and 443 on that interface to the administrators' address ranges.

Step 8:

Log in to the AWS console and navigate to EC2 > NETWORK & SECURITY > Elastic IPs.

Click Allocate new address to create an Elastic IP address.

Associate the Elastic IP with the Citrix ADC instance running in AWS (its management NIC, for the NSIP).

Allocate a second Elastic IP and associate it with the same Citrix ADC instance, for the SNIP that the GSLB site IP and ADNS IP use.

image-vpx-aws-gslb-deployment-10

Elastic Load Balancer

Step 9:

Log in to the AWS console and navigate to EC2 > LOAD BALANCING > Load Balancers.

image-vpx-aws-gslb-deployment-11

Step 10:

Click Create Load Balancer to configure a classic load balancer.

The Elastic Load Balancer load balances the back-end Amazon Linux instances, including any additional instances that are spun up based on demand.

image-vpx-aws-gslb-deployment-12

Configuring Global Server Load Balancing Domain-Name Based Services

Traffic Management Configurations

Note:

The Citrix ADC must be configured with either a nameserver or a DNS virtual server through which the ELB/ALB domains are resolved for the DBS Service Groups. For more information, see: DNS nameServer.

Step 1:

Navigate to Traffic Management > Load Balancing > Servers.

image-vpx-aws-gslb-deployment-13

Step 2:

Click Add to create a server; provide a name and, as the FQDN, the DNS name (A record) that AWS assigned to the Elastic Load Balancer (ELB).

Repeat step 2 to add the second ELB from the second resource location in AWS.

image-vpx-aws-gslb-deployment-14

GSLB Configuration

Step 1:

Navigate to Traffic Management > GSLB > Sites.

image-vpx-aws-gslb-deployment-15

Step 2:

Click the Add button to configure a GSLB Site.

Name the Site. The Type is configured as Remote or Local depending on which Citrix ADC the site is being configured on. The Site IP Address is the IP address for the GSLB site; the GSLB site uses this IP address to communicate with the other GSLB sites. The Public IP address is required when using a cloud service where the site IP is exposed through an external firewall or NAT device. The site should be configured as a Parent Site. Ensure the Trigger Monitors setting is set to ALWAYS and select the three boxes at the bottom for Metric Exchange, Network Metric Exchange, and Persistence Session Entry Exchange.

image-vpx-aws-gslb-deployment-16

Citrix's general recommendation for the Trigger Monitors setting is MEPDOWN; this example uses ALWAYS. For more information, see: Configure a GSLB Service Group.

Step 3:

The following screenshot from the AWS configurations shows where users can find the Site IP Address and Public IP Address. The IPs are found under Network & Security > Elastic IPs.

Click Create, repeat steps 2 and 3 to configure the GSLB site for the other resource location in AWS (this can be configured on the same Citrix ADC).

image-vpx-aws-gslb-deployment-17

Step 4:

Navigate to Traffic Management > GSLB > Service Groups.

image-vpx-aws-gslb-deployment-18

Step 5:

Click Add to add a service group. Name the Service Group, use the HTTP protocol, and then under Site Name, choose the respective site that was created in the previous steps. Be sure to configure AutoScale Mode as DNS and check off the boxes for State and Health Monitoring.

Click OK to create the Service Group.

image-vpx-aws-gslb-deployment-19

Step 6:

Click Service Group Members and select Server Based. Select the respective Elastic Load Balancing server that was created under Traffic Management Configurations above. Configure the traffic to go over port 80.

Click Create.

image-vpx-aws-gslb-deployment-20

Step 7:

The Service group Member Binding should populate with two instances that it is receiving from the Elastic Load Balancer.

Repeat these steps to configure the Service Group for the second resource location in AWS (this can be done from the same Citrix ADC).

image-vpx-aws-gslb-deployment-21

Step 8:

Navigate to Traffic Management > GSLB > Virtual Servers.

Click Add to create the virtual server. Name the server, DNS Record Type is set as A, Service Type is set as HTTP, and check the boxes for Enable after Creating and AppFlow Logging. Click OK to create the GSLB Virtual Server. (Citrix ADC GUI)

image-vpx-aws-gslb-deployment-22

Step 9:

When the GSLB Virtual Server is created, click No GSLB Virtual Server ServiceGroup Binding.


image-vpx-aws-gslb-deployment-23

Step 10:

Under “ServiceGroup Binding” use Select Service Group Name to select and add the Service Groups that were created in the previous steps.

image-vpx-aws-gslb-deployment-24

Step 11:

Next configure the GSLB Virtual Server Domain Binding by clicking No GSLB Virtual Server Domain Binding. Configure the FQDN and Bind, the rest of the settings can be left as the defaults.

image-vpx-aws-gslb-deployment-25

Step 12:

Configure the ADNS Service by clicking No Service. Add a Service Name, click New Server, and enter the IP Address of the ADNS server.

Also, if the user ADNS is already configured users can select Existing Server and then choose their ADNS from the menu. Make sure the Protocol is ADNS and the traffic is over Port 53.

Configure the Method as LEASTCONNECTION and Backup Method as ROUNDROBIN.

image-vpx-aws-gslb-deployment-26

Citrix ADC Global Load Balancing for Hybrid and Multi-Cloud Deployments

The Citrix ADC hybrid and multi-cloud global load balancing (GLB) solution enables users to distribute application traffic across multiple data centers in hybrid clouds, multiple clouds, and on-premises deployments. The Citrix ADC hybrid and multi-cloud GLB solution helps users to manage their load balancing setup in hybrid or multi-cloud environments without altering the existing setup. Also, if users have an on-premises setup, they can test some of their services in the cloud by using the Citrix ADC hybrid and multi-cloud GLB solution before completely migrating to the cloud. For example, users can route only a small percentage of their traffic to the cloud, and handle most of the traffic on-premises. The Citrix ADC hybrid and multi-cloud GLB solution also enables users to manage and monitor Citrix ADC instances across geographic locations from a single, unified console.

A hybrid and multi-cloud architecture can also improve overall enterprise performance by avoiding “vendor lock-in” and using different infrastructure to meet the needs of user partners and customers. With multiple cloud architecture, users can manage their infrastructure costs better as they now have to pay only for what they use. Users can also scale their applications better as they now use the infrastructure on demand. It also provides the ability to quickly switch from one cloud to another to take advantage of the best offerings of each provider.

Architecture of the Citrix ADC Hybrid and Multi-Cloud GLB Solution

The following diagram illustrates the architecture of Citrix ADC hybrid and multi-cloud GLB feature.

image-vpx-aws-gslb-deployment-27

The Citrix ADC GLB nodes handle the DNS name resolution. Any of these GLB nodes can receive DNS requests from any client location. The GLB node that receives the DNS request returns the load balancer virtual server IP address as selected by the configured load balancing method. Metrics (site, network, and persistence metrics) are exchanged between the GLB nodes using the metrics exchange protocol (MEP), which is a proprietary Citrix protocol. For more information on the MEP protocol, see: Configure Metrics Exchange Protocol.

The monitor configured in the GLB node monitors the health status of the load balancing virtual server in the same data center. In a parent-child topology, metrics between the GLB and Citrix ADC nodes are exchanged by using MEP. However, configuring monitor probes between a GLB and Citrix ADC LB node is optional in a parent-child topology.

The Citrix Application Delivery Management (ADM) service agent enables communication between the Citrix ADM and the managed instances in the user data center. For more information on Citrix ADM service agents and how to install them, see: Getting Started.

Note:

This document makes the following assumptions:

  • If users have an existing load balancing setup, it is up and running.

  • A SNIP address or a GLB site IP address is configured on each of the Citrix ADC GLB nodes. This IP address is used as the data center source IP address when exchanging metrics with other data centers.

  • An ADNS or ADNS-TCP service is configured on each of the Citrix ADC GLB instances to receive the DNS traffic.

  • The required firewall and security groups are configured in the cloud service providers.

Security Groups Configuration

Users must set up the required firewall/security groups configuration in the cloud service providers. For more information about AWS security features, see: AWS/Documentation/Amazon VPC/User Guide/Security.

Also, on the GLB node, users must open port 53 on the ADNS service/DNS server IP address and port 3009 on the GSLB site IP address for MEP traffic exchange. On the load balancing node, users must open the appropriate ports to receive the application traffic. For example, users must open port 80 for receiving HTTP traffic and port 443 for receiving HTTPS traffic. Open port 443 for NITRO communication between the Citrix ADM service agent and Citrix ADM. Port 53 must accept traffic from anywhere, since any resolver may query the ADNS service, but port 3009 should be limited to the peer sites' GSLB site IPs.

For the dynamic round trip time GLB method, users must open port 53 to allow UDP and TCP probes depending on the configured LDNS probe type. The UDP or the TCP probes are initiated using one of the SNIPs and therefore this setting must be done for security groups bound to the server-side subnet.
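A rule checker for the port matrix in this section, as an added example (this is illustrative Python, not Citrix or AWS code). It models security-group ingress rules as (protocol, from_port, to_port, cidr) tuples, reports the required ports of the GLB or LB role that no rule covers, and flags the ports that should never be open to the world: SSH (22) and MEP (3009), which belongs only to the peer sites' GSLB site IPs. ADNS on 53 legitimately needs 0.0.0.0/0. The sample rule sets are constructed for the example; the egress rule for RTT probes is out of scope here.

```python
"""Audit of security-group ingress rules for Citrix ADC GLB and LB nodes
(added example; sample rule sets are constructed, not taken from any account)."""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, int, int, str]            # (protocol, from_port, to_port, cidr)

# Ports each node role must accept, from the section above.
REQUIRED_INGRESS = {
    "glb": [("udp", 53), ("tcp", 53), ("tcp", 3009)],   # ADNS, ADNS-TCP, MEP
    "lb": [("tcp", 80), ("tcp", 443)],                  # application traffic
}
# Ports that must only come from known sources: SSH management and MEP
# (the peer GSLB site IPs). Opening them to 0.0.0.0/0 is a finding.
RESTRICTED_PORTS = (22, 3009)


def rule_covers(rule: Rule, proto: str, port: int) -> bool:
    """True if the rule admits `proto`/`port`; "-1" is AWS's "all protocols"."""
    r_proto, lo, hi, _cidr = rule
    return r_proto in (proto, "-1") and lo <= port <= hi


def is_anywhere(cidr: str) -> bool:
    """0.0.0.0/0 or ::/0, i.e. any source on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(role: str, rules: List[Rule]):
    """Return (missing, exposed): required (proto, port) pairs no rule covers,
    and (proto, port, cidr) triples where a restricted port is world-open."""
    missing = [req for req in REQUIRED_INGRESS[role]
               if not any(rule_covers(r, *req) for r in rules)]
    exposed = []
    for proto, lo, hi, cidr in rules:
        if not is_anywhere(cidr):
            continue
        for port in RESTRICTED_PORTS:
            if lo <= port <= hi:
                exposed.append((proto, port, cidr))
    return missing, exposed


# Constructed sample: a GLB node whose MEP port was left open to the internet.
GLB_RULES: List[Rule] = [
    ("tcp", 22, 22, "203.0.113.0/24"),     # SSH from the admin network
    ("tcp", 443, 443, "203.0.113.0/24"),   # GUI/NITRO from the admin network
    ("udp", 53, 53, "0.0.0.0/0"),          # ADNS
    ("tcp", 53, 53, "0.0.0.0/0"),          # ADNS-TCP
    ("tcp", 3009, 3009, "0.0.0.0/0"),      # MEP: should be the peer site IPs only
]
# Constructed sample: an LB node on which HTTPS was forgotten.
LB_RULES: List[Rule] = [
    ("tcp", 80, 80, "0.0.0.0/0"),
    ("tcp", 22, 22, "203.0.113.0/24"),
]

if __name__ == "__main__":
    for role, rules in (("glb", GLB_RULES), ("lb", LB_RULES)):
        missing, exposed = audit(role, rules)
        print(f"{role}: missing={missing} exposed={exposed}")
```

Run it against the rules exported from the console before the GSLB sites are brought up; a blanket "all traffic from 0.0.0.0/0" rule passes the coverage check but is reported twice under exposed, which is the usual way a consolidated security group goes wrong.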

Capabilities of the Citrix ADC Hybrid and Multi-Cloud GLB Solution

Some of the capabilities of the Citrix ADC hybrid and multi-cloud GLB solution are described in this section.

Compatibility with other Load Balancing Solutions

The Citrix ADC hybrid and multi-cloud GLB solution supports various load balancing solutions such as the Citrix ADC load balancer, NGINX, HAProxy, and other third-party load balancers.

Note:

Load balancing solutions other than Citrix ADC are supported only if proximity-based and non-metric based GLB methods are used and if parent-child topology is not configured.

GLB Methods

The Citrix ADC hybrid and multi-cloud GLB solution supports the following GLB methods.

  • Metric-based GLB methods. Metric-based GLB methods collect metrics from the other Citrix ADC nodes through the metrics exchange protocol.

    • Least Connection: The client request is routed to the load balancer that has the fewest active connections.

    • Least Bandwidth: The client request is routed to the load balancer that is currently serving the least amount of traffic.

    • Least Packets: The client request is routed to the load balancer that has received the fewest packets in the last 14 seconds.

  • Non-metric based GLB methods

    • Round Robin: The client request is routed to the IP address of the load balancer that is at the top of the list of load balancers. That load balancer then moves to the bottom of the list.

    • Source IP Hash: This method uses the hashed value of the client IP address to select a load balancer.

  • Proximity-based GLB methods

    • Static Proximity: The client request is routed to the load balancer that is closest to the client IP address.

    • Round-Trip Time (RTT): This method uses the RTT value (the time delay in the connection between the client’s local DNS server and the data center) to select the IP address of the best performing load balancer.

For more information on the load balancing methods, see: Load Balancing Algorithms.

GLB Topologies

The Citrix ADC hybrid and multi-cloud GLB solution supports the active-passive topology and parent-child topology.

  • Active-passive topology - Provides disaster recovery and ensures continuous availability of applications by protecting against points of failure. If the primary data center goes down, the passive data center becomes operational. For more information about GSLB active-passive topology, see: Configure GSLB for Disaster Recovery.

  • Parent-child topology – Can be used if customers are using the metric-based GLB methods to configure GLB and LB nodes and if the LB nodes are deployed on a different Citrix ADC instance. In a parent-child topology, the LB node (child site) must be a Citrix ADC appliance because the exchange of metrics between the parent and child site is through the metrics exchange protocol (MEP).

For more information about parent-child topology, see: Parent-Child Topology Deployment using the MEP Protocol.

IPv6 Support

The Citrix ADC hybrid and multi-cloud GLB solution also supports IPv6.

Monitoring

The Citrix ADC hybrid and multi-cloud GLB solution supports built-in monitors with an option to enable the secure connection. However, if LB and GLB configurations are on the same Citrix ADC instance or if parent-child topology is used, configuring monitors is optional.

Persistence

The Citrix ADC hybrid and multi-cloud GLB solution supports the following:

  • Source IP based persistence sessions, so that multiple requests from the same client are directed to the same service if they arrive within the configured time-out window. If the time-out value expires before the client sends another request, the session is discarded, and the configured load balancing algorithm is used to select a new server for the client’s next request.

  • Spillover persistence so that the backup virtual server continues to process the requests it receives, even after the load on the primary falls below the threshold. For more information, see: Configure Spillover.

  • Site persistence so that the GLB node selects a data center to process a client request and forwards the IP address of the selected data center for all subsequent DNS requests. If the configured persistence applies to a site that is DOWN, the GLB node uses a GLB method to select a new site, and the new site becomes persistent for subsequent requests from the client.
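The selection methods from the "GLB Methods" section and the persistence behaviour just described, modelled in one small site selector. This is an added example, not Citrix code: `GslbSelector.resolve()` returns the site whose address the ADNS answer would carry, implementing the metric-based (Least Connection, Least Bandwidth, Least Packets), non-metric (Round Robin, Source IP Hash) and proximity-based (Static Proximity, RTT) methods over a list of sites with MEP-style metrics, keeping a client on its site while requests arrive within the time-out window, and re-selecting by the method when the session expires or the persistent site is DOWN. The site names, metrics and client addresses are constructed; the Source IP Hash uses the integer value of the client address rather than the appliance's own hash, and Static Proximity uses a simple client-CIDR-to-site table in place of a location database.

```python
"""GSLB site selection with persistence (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Site:
    name: str
    ip: str                  # address the ADNS answer carries for this site
    state: str = "UP"        # UP or DOWN
    connections: int = 0     # active connections (Least Connection)
    bandwidth: float = 0.0   # current traffic in Mbps (Least Bandwidth)
    packets: int = 0         # packets received in the last 14 seconds (Least Packets)
    rtt_ms: float = 0.0      # RTT between the client's LDNS and this site (RTT method)


def sample_sites():
    """Two constructed sites with metrics as MEP would have reported them."""
    return [
        Site("aws-east", "203.0.113.10", connections=5, bandwidth=20.0, packets=100, rtt_ms=30.0),
        Site("azure-west", "198.51.100.10", connections=2, bandwidth=50.0, packets=80, rtt_ms=80.0),
    ]


class GslbSelector:
    def __init__(self, sites, method="ROUNDROBIN", persistence_timeout=0, proximity=()):
        self.sites = list(sites)
        self.method = method
        self.timeout = persistence_timeout                                  # seconds; 0 disables persistence
        self.proximity = [(ip_network(c), n) for c, n in proximity]         # (client CIDR, site name)
        self._rr_queue = list(self.sites)                                   # Round Robin: top moves to bottom
        self._sessions = {}                                                 # client IP -> (Site, last request time)

    def _up(self):
        return [s for s in self.sites if s.state == "UP"]

    def _round_robin(self):
        # Rotate until an UP site reaches the top; DOWN sites are skipped.
        for _ in range(len(self._rr_queue)):
            site = self._rr_queue.pop(0)
            self._rr_queue.append(site)
            if site.state == "UP":
                return site
        return None

    def _choose(self, client_ip):
        up = self._up()
        if not up:
            return None
        m = self.method
        if m == "LEASTCONNECTION":
            return min(up, key=lambda s: s.connections)
        if m == "LEASTBANDWIDTH":
            return min(up, key=lambda s: s.bandwidth)
        if m == "LEASTPACKETS":
            return min(up, key=lambda s: s.packets)
        if m == "RTT":
            return min(up, key=lambda s: s.rtt_ms)
        if m == "SOURCEIPHASH":
            return up[int(ip_address(client_ip)) % len(up)]
        if m == "STATICPROXIMITY":
            for net, name in self.proximity:
                if ip_address(client_ip) in net:
                    for s in up:
                        if s.name == name:
                            return s
            return self._round_robin()      # no proximity entry, or its site is DOWN
        if m == "ROUNDROBIN":
            return self._round_robin()
        raise ValueError(f"unknown GLB method {m}")

    def resolve(self, client_ip, now):
        """Site whose IP the ADNS answer should carry for this client at time `now`."""
        session = self._sessions.pop(client_ip, None)
        if session is not None:
            site, last_seen = session
            if now - last_seen <= self.timeout and site.state == "UP":
                self._sessions[client_ip] = (site, now)      # still inside the window: stay put
                return site
        site = self._choose(client_ip)                        # first request, expired, or site DOWN
        if site is not None and self.timeout > 0:
            self._sessions[client_ip] = (site, now)           # the newly chosen site becomes persistent
        return site


if __name__ == "__main__":
    selector = GslbSelector(sample_sites(), "LEASTCONNECTION", persistence_timeout=60)
    print(selector.resolve("192.0.2.7", now=0).name)
```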

Configuration by using Citrix ADM StyleBooks

Customers can use the default Multi-cloud GLB StyleBook on Citrix ADM to configure the Citrix ADC instances with hybrid and multi-cloud GLB configurations.

Customers can use the default Multi-cloud GLB StyleBook for LB Node to configure the Citrix ADC load balancing nodes, which are the child sites in a parent-child topology that handle the application traffic. Use this StyleBook only if users want to configure LB nodes in a parent-child topology. Each LB node must be configured separately using this StyleBook.

Workflow of the Citrix ADC Hybrid and Multi-Cloud GLB Solution Configuration

Customers can use the shipped Multi-cloud GLB StyleBook on Citrix ADM to configure the Citrix ADC instances with hybrid and multi-cloud GLB configurations.

The following diagram shows the workflow for configuring a Citrix ADC hybrid and multi-cloud GLB solution. The steps in the workflow diagram are explained in more detail after the diagram.

[Figure: workflow for configuring the Citrix ADC hybrid and multi-cloud GLB solution]

Perform the following tasks as a cloud administrator:

  1. Sign up for a Citrix Cloud account.

    To start using Citrix ADM, create a Citrix Cloud company account or join an existing one that has been created by someone in your company.

  2. After users log on to Citrix Cloud, click Manage on the Citrix Application Delivery Management tile to set up the ADM service for the first time.

  3. Download and install multiple Citrix ADM service agents.

    Users must install and configure the Citrix ADM service agent in their network environment to enable communication between the Citrix ADM and the managed instances in their data center or cloud. Install an agent in each region, so that they can configure LB and GLB configurations on the managed instances. The LB and GLB configurations can share a single agent. For more information on the above three tasks, see: Getting Started.

  4. Deploy load balancers on Microsoft Azure/AWS cloud/on-premises data centers.

    Depending on the type of load balancers that users are deploying on cloud and on-premises, provision them accordingly. For example, users can provision Citrix ADC VPX instances in a Microsoft Azure Resource Manager (ARM) portal, in an Amazon Web Services (AWS) virtual private cloud and in on-premises data centers. Configure Citrix ADC instances to function as LB or GLB nodes in standalone mode, by creating the virtual machines and configuring other resources. For more information on how to deploy Citrix ADC VPX instances, see the following documents:

  5. Perform security configurations.

    Configure network security groups and network ACLs in ARM and in AWS to control inbound and outbound traffic for user instances and subnets.

  6. Add Citrix ADC instances in Citrix ADM.

    Citrix ADC instances are network appliances or virtual appliances that users want to discover, manage, and monitor from Citrix ADM. To manage and monitor these instances, users must add the instances to the service and register both LB (if users are using Citrix ADC for LB) and GLB instances. For more information on how to add Citrix ADC instances in the Citrix ADM, see: Getting Started

  7. Implement the GLB and LB configurations using default Citrix ADM StyleBooks.

    • Use Multi-cloud GLB StyleBook to execute the GLB configuration on the selected GLB Citrix ADC instances.

    • Implement the load balancing configuration. (Users can skip this step if they already have LB configurations on the managed instances.) Users can configure load balancers on Citrix ADC instances in one of two ways:

      • Manually configure the instances for load balancing the applications. For more information on how to manually configure the instances, see: Set up Basic Load Balancing.

      • Use StyleBooks. Users can use one of the Citrix ADM StyleBooks (HTTP/SSL Load Balancing StyleBook or HTTP/SSL Load Balancing (with Monitors) StyleBook) to create the load balancer configuration on the selected Citrix ADC instance. Users can also create their own StyleBooks. For more information on StyleBooks, see: StyleBooks.

  8. Use Multi-cloud GLB StyleBook for LB Node to configure GLB parent-child topology in any of the following cases:

    • If users are using the metric-based GLB algorithms (Least Packets, Least Connections, Least Bandwidth) to configure GLB and LB nodes and if the LB nodes are deployed on a different Citrix ADC instance.

    • If site persistence is required.

Using StyleBooks to Configure GLB on Citrix ADC LB Nodes

Customers can use the Multi-cloud GLB StyleBook for LB Node if they are using the metric-based GLB algorithms (Least Packets, Least Connections, Least Bandwidth) to configure GLB and LB nodes and if the LB nodes are deployed on a different Citrix ADC instance.

Users can also use this StyleBook to configure more child sites for an existing parent site. This StyleBook configures one child site at a time. So, create as many configurations (config packs) from this StyleBook as there are child sites. The StyleBook applies the GLB configuration on the child sites. Users can configure a maximum of 1024 child sites.

Note:

Use Multi-cloud GLB StyleBook to configure the parent sites.

This StyleBook makes the following assumptions:

  • A SNIP address or a GLB site IP address is configured.

  • The required firewall and security groups are configured in the cloud service providers.

Configuring a Child Site in a Parent-Child Topology by using Multi-Cloud GLB StyleBook for LB Node

  1. Navigate to Applications > Configuration, and click Create New.

    The StyleBook appears as a user interface page on which users can enter the values for all the parameters defined in this StyleBook.

Note:

The terms data center and sites are used interchangeably in this document.

  1. Set the following parameters:

    • Application Name. Enter the name of the GLB application deployed on the GLB sites for which you want to create child sites.

    • Protocol. Select the application protocol of the deployed application from the drop-down list box.

    • LB Health Check (Optional)

      • Health Check Type. From the drop-down list box, select the type of probe used for checking the health of the load balancer VIP address that represents the application on a site.

      • Secure Mode. (Optional) Select Yes to enable this parameter if SSL based health checks are required.

      • HTTP Request. (Optional) If users selected HTTP as the health-check type, enter the full HTTP request used to probe the VIP address.

      • List of HTTP Status Response Codes. (Optional) If users selected HTTP as the health check type, enter the list of HTTP status codes expected in responses to HTTP requests when the VIP is healthy.

  2. Configuring parent site.

    • Provide the details of the parent site (GLB node) under which you want to create the child site (LB node).

      • Site Name. Enter the name of the parent site.

      • Site IP Address. Enter the IP address that the parent site uses as its source IP address when exchanging metrics with other sites. This IP address is assumed to be already configured on the GLB node in each site.

      • Site Public IP Address. (Optional) Enter the Public IP address of the parent site that is used to exchange metrics, if that site’s IP address is NAT’ed.

  3. Configuring child site.

    • Provide the details of the child site.

      • Site name. Enter the name of the site.

      • Site IP Address. Enter the IP address of the child site. Here, use the private IP address or SNIP of the Citrix ADC node that is being configured as a child site.

      • Site Public IP Address. (Optional) Enter the Public IP address of the child site that is used to exchange metrics, if that site’s IP address is NAT’ed.

  4. Configuring active GLB services (optional)

    • Configure active GLB services only if the LB virtual server IP address is not a public IP address. This section allows users to configure the list of local GLB services on the sites where the application is deployed.

      • Service IP. Enter the IP address of the load balancing virtual server on this site.

      • Service Public IP Address. If the virtual IP address is private and has a public IP address NAT’ed to it, specify the public IP address.

      • Service Port. Enter the port of the GLB service on this site.

      • Site Name. Enter the name of the site on which the GLB service is located.

  5. Click Target Instances and select the Citrix ADC instances configured as GLB instances on each site on which to deploy the GLB configuration.

  6. Click Create to create the LB configuration on the selected Citrix ADC instance (LB node). Users can also click Dry Run to check the objects that would be created in the target instances. The StyleBook configuration that users have created appears in the list of configurations on the Configurations page. Users can examine, update, or remove this configuration by using the Citrix ADM GUI.

CloudFormation Template Deployment

Citrix ADC VPX is available as Amazon Machine Images (AMI) in the AWS Marketplace. Before using a CloudFormation template to provision a Citrix ADC VPX in AWS, the AWS user has to accept the terms and subscribe to the AWS Marketplace product. Each edition of the Citrix ADC VPX in the Marketplace requires this step.

Each template in the CloudFormation repository has collocated documentation describing the usage and architecture of the template. The templates attempt to codify recommended deployment architecture of the Citrix ADC VPX, or to introduce the user to the Citrix ADC or to demonstrate a particular feature, edition, or option. Users can reuse, modify, or enhance the templates to suit their particular production and testing needs. Most templates require full EC2 permissions in addition to permissions to create IAM roles.

The CloudFormation templates contain AMI IDs that are specific to a particular release of the Citrix ADC VPX (for example, release 12.0-56.20) and edition (for example, Citrix ADC VPX Platinum Edition - 10 Mbps) or Citrix ADC BYOL. To use a different version or edition of the Citrix ADC VPX with a CloudFormation template, the user must edit the template and replace the AMI IDs.

The latest Citrix ADC AWS-AMI-IDs are located here: Citrix ADC AWS CloudFormation Master.

CFT Three-NIC Deployment

This template deploys a VPC with 3 subnets (Management, client, server) for 2 Availability Zones. It deploys an Internet Gateway, with a default route on the public subnets. This template also creates an HA pair across Availability Zones with two instances of Citrix ADC: 3 ENIs associated to 3 VPC subnets (Management, Client, Server) on the primary and 3 ENIs associated to 3 VPC subnets (Management, Client, Server) on the secondary. All the resource names created by this CFT are prefixed with a tagName of the stack name.

The output of the CloudFormation template includes:

  • PrimaryCitrixADCManagementURL - HTTPS URL to the Management GUI of the Primary VPX (uses self-signed cert)

  • PrimaryCitrixADCManagementURL2 - HTTP URL to the Management GUI of the Primary VPX

  • PrimaryCitrixADCInstanceID - Instance Id of the newly created Primary VPX instance

  • PrimaryCitrixADCPublicVIP - Elastic IP address of the Primary VPX instance associated with the VIP

  • PrimaryCitrixADCPrivateNSIP - Private IP (NS IP) used for management of the Primary VPX

  • PrimaryCitrixADCPublicNSIP - Public IP (NS IP) used for management of the Primary VPX

  • PrimaryCitrixADCPrivateVIP - Private IP address of the Primary VPX instance associated with the VIP

  • PrimaryCitrixADCSNIP - Private IP address of the Primary VPX instance associated with the SNIP

  • SecondaryCitrixADCManagementURL - HTTPS URL to the Management GUI of the Secondary VPX (uses self-signed cert)

  • SecondaryCitrixADCManagementURL2 - HTTP URL to the Management GUI of the Secondary VPX

  • SecondaryCitrixADCInstanceID - Instance Id of the newly created Secondary VPX instance

  • SecondaryCitrixADCPrivateNSIP - Private IP (NS IP) used for management of the Secondary VPX

  • SecondaryCitrixADCPublicNSIP - Public IP (NS IP) used for management of the Secondary VPX

  • SecondaryCitrixADCPrivateVIP - Private IP address of the Secondary VPX instance associated with the VIP

  • SecondaryCitrixADCSNIP - Private IP address of the Secondary VPX instance associated with the SNIP

  • SecurityGroup - Security group id that the VPX belongs to

When providing input to the CFT, the * against any parameter in the CFT implies that it is a mandatory field. For example, VPC ID* is a mandatory field.

The following prerequisites must be met. The CloudFormation template requires sufficient permissions to create IAM roles, beyond normal EC2 full privileges. The user of this template also needs to accept the terms and subscribe to the AWS Marketplace product before using this CloudFormation template.

The following should also be present:

  • Key Pair

  • 3 unallocated EIPs:

    • Primary Management

    • Client VIP

    • Secondary Management

For more information on provisioning Citrix ADC VPX instances on AWS, users can visit: Provisioning Citrix ADC VPX Instances on AWS.

For information on how to configure GLB using StyleBooks, see: Using StyleBooks to Configure GLB.

Prerequisites

Before attempting to create a VPX instance in AWS, users should ensure they have the following:

  • An AWS account to launch a Citrix ADC VPX AMI in an Amazon Web Services (AWS) Virtual Private Cloud (VPC). Users can create an AWS account for free at www.aws.amazon.com.

  • An AWS Identity and Access Management (IAM) user account to securely control access to AWS services and resources for users. For more information about how to create an IAM user account, see the topic: Creating IAM Users (Console).

An IAM role is mandatory for both standalone and high availability deployments. The IAM role must have the following privileges:

  • ec2:DescribeInstances

  • ec2:DescribeNetworkInterfaces

  • ec2:DetachNetworkInterface

  • ec2:AttachNetworkInterface

  • ec2:StartInstances

  • ec2:StopInstances

  • ec2:RebootInstances

  • ec2:DescribeAddresses

  • ec2:AssociateAddress

  • ec2:DisassociateAddress

  • autoscaling:*

  • sns:*

  • sqs:*

  • iam:SimulatePrincipalPolicy

  • iam:GetRole

If the Citrix CloudFormation template is used, the IAM role is automatically created. The template does not allow selecting an already created IAM role.
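A check that a role's policy actually grants the privileges listed above, for deployments that do not use the Citrix CloudFormation template and must attach a role of their own. This is an added example, not Citrix code: `required_policy()` renders the list as a policy document; `missing_actions()` reports required actions a policy does not grant, honouring IAM's `*` and `?` wildcards and explicit Deny statements (Resource and Condition elements are not evaluated); and `wildcard_grants()` lists the broad grants, including the `autoscaling:*`, `sns:*` and `sqs:*` entries the guide itself requires, so they can be reviewed against least privilege. The partial policy in the test is constructed.

```python
"""Compare an IAM policy document against the VPX role's required actions (added example)."""
from fnmatch import fnmatchcase

# The privileges listed in the guide, in the guide's order.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DetachNetworkInterface",
    "ec2:AttachNetworkInterface",
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:RebootInstances",
    "ec2:DescribeAddresses",
    "ec2:AssociateAddress",
    "ec2:DisassociateAddress",
    "autoscaling:*",
    "sns:*",
    "sqs:*",
    "iam:SimulatePrincipalPolicy",
    "iam:GetRole",
]


def required_policy(actions=REQUIRED_ACTIONS):
    """Policy document granting exactly the listed actions on Resource '*'
    (the guide does not scope them to specific resources)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


def _actions(policy, effect):
    """All action patterns from statements with the given Effect (Allow or Deny)."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != effect:
            continue
        act = stmt.get("Action", [])
        found.extend([act] if isinstance(act, str) else act)
    return found


def action_matches(pattern, action):
    """IAM compares action names case-insensitively; '*' and '?' are the only wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant: no matching Allow, or a matching Deny (Deny wins)."""
    allows = _actions(policy, "Allow")
    denies = _actions(policy, "Deny")
    missing = []
    for action in required:
        allowed = any(action_matches(p, action) for p in allows)
        denied = any(action_matches(p, action) for p in denies)
        if not allowed or denied:
            missing.append(action)
    return missing


def wildcard_grants(policy):
    """Allow patterns containing a wildcard; each of these grants more than one action."""
    return [p for p in _actions(policy, "Allow") if "*" in p or "?" in p]


if __name__ == "__main__":
    import json
    print(json.dumps(required_policy(), indent=2))
    print("wildcard grants to review:", wildcard_grants(required_policy()))
```

The policy document passed in can be the output of `aws iam get-role-policy` or `aws iam get-policy-version` (the `PolicyDocument` member), which has the same `Statement` structure; a non-empty `missing_actions()` result explains the privilege prompt the GUI shows after logon.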

Note:

When users log on the VPX instance through the GUI, a prompt to configure the required privileges for IAM role appears. Ignore the prompt if the privileges have already been configured.

  • AWS CLI is required to use all the functionality provided by the AWS Management Console from the terminal program. For more information, see: What Is the AWS Command Line Interface?. Users also need the AWS CLI to change the network interface type to SR-IOV.

GSLB Prerequisites

The prerequisites for the Citrix ADC GSLB Service Groups include a functioning AWS / Microsoft Azure environment with the knowledge and ability to configure Security Groups, Linux Web Servers, Citrix ADCs within AWS, Elastic IPs, and Elastic Load Balancers.

GSLB DBS Service integration requires Citrix ADC version 12.0.57 for AWS ELB and Microsoft Azure ALB load balancer instances.

Limitations and Usage Guidelines

The following limitations and usage guidelines apply when deploying a Citrix ADC VPX instance on AWS:

  • Users should be familiar with the AWS terminology listed previously before starting a new deployment.

  • The clustering feature is supported only when provisioned with Citrix ADM Auto Scale Groups.

  • For the high availability setup to work effectively, associate a dedicated NAT device to the management interface or associate an Elastic IP (EIP) to the NSIP. For more information on NAT, in the AWS documentation, see: NAT Instances.

  • Data traffic and management traffic must be segregated with ENIs belonging to different subnets.

  • Only the NSIP address must be present on the management ENI.

  • If a NAT instance is used for security instead of assigning an EIP to the NSIP, appropriate VPC level routing changes are required. For instructions on making VPC level routing changes, in the AWS documentation, see: Scenario 2: VPC with Public and Private Subnets.

  • A VPX instance can be moved from one EC2 instance type to another (for example, from m3.large to an m3.xlarge). For more information, visit: Limitations and Usage Guidelines.

  • For storage media for VPX on AWS, Citrix recommends EBS, because it is durable and the data remains available even after the volume is detached from the instance.

  • Dynamic addition of ENIs to VPX is not supported. Restart the VPX instance to apply the update. Citrix recommends that users stop the standalone or HA instance, attach the new ENI, and then restart the instance. The primary ENI cannot be changed or attached to a different subnet once it is deployed. Secondary ENIs can be detached and changed as needed while the VPX is stopped.

  • Users can assign multiple IP addresses to an ENI. The maximum number of IP addresses per ENI is determined by the EC2 instance type, see the section “IP Addresses Per Network Interface Per Instance Type” in: Elastic Network Interfaces. Users must allocate the IP addresses in AWS before they assign them to ENIs. For more information, see: Elastic Network Interfaces.

  • Citrix recommends that users avoid using the enable and disable interface commands on Citrix ADC VPX interfaces.

  • The Citrix ADC set ha node <NODE_ID> -haStatus STAYPRIMARY and set ha node <NODE_ID> -haStatus STAYSECONDARY commands are disabled by default.

  • IPv6 is not supported for VPX.

  • Due to AWS limitations, these features are not supported:

    • Gratuitous ARP(GARP)

    • L2 mode (bridging). Transparent virtual servers are supported with L2 (MAC rewrite) for servers in the same subnet as the SNIP.

    • Tagged VLAN

    • Dynamic Routing

    • Virtual MAC

  • For RNAT, routing, and Transparent virtual server to work, ensure Source/Destination Check is disabled for all ENIs in the data path. For more information, see “Changing the Source/Destination Checking” in: Elastic Network Interfaces.

  • In a Citrix ADC VPX deployment on AWS, in some AWS regions, the AWS infrastructure might not be able to resolve AWS API calls. This happens if the API calls are issued through a non-management interface on the Citrix ADC VPX instance. As a workaround, restrict the API calls to the management interface only. To do that, create an NSVLAN on the VPX instance and bind the management interface to the NSVLAN by using the appropriate command. For example:

      set ns config -nsvlan <vlan id> -ifnum 1/1 -tagged NO
      save config

    Restart the VPX instance at the prompt. For more information about configuring NSVLAN, see: Configuring NSVLAN.

  • In the AWS console, the vCPU usage shown for a VPX instance under the Monitoring tab might be high (up to 100 percent), even when the actual usage is much lower. To see the actual vCPU usage, navigate to View all CloudWatch metrics. For more information, see: Monitor your Instances using Amazon CloudWatch. Alternately, if low latency and performance are not a concern, users may enable the CPU Yield feature allowing the packet engines to idle when there is no traffic. For more details about the CPU Yield feature and how to enable it, visit: Citrix Support Knowledge Center.

AWS-VPX Support Matrix

The following tables list the supported VPX model and AWS regions, instance types, and services.

Supported VPX Models on AWS

Supported VPX Model:

  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 200 Mbps

  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 1000 Mbps

  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 3 Gbps

  • Citrix ADC VPX Standard/Enterprise/Platinum Edition - 5 Gbps

  • Citrix ADC VPX Standard/Advanced/Premium - 10 Mbps

  • Citrix ADC VPX Express - 20 Mbps

  • Citrix ADC VPX - Customer Licensed

Supported AWS Regions

Supported AWS Regions:

  • US West (Oregon) Region

  • US West (N. California) Region

  • US East (Ohio) Region

  • US East (N. Virginia) Region

  • Asia Pacific (Seoul) Region

  • Canada (Central) Region

  • Asia Pacific (Singapore) Region

  • Asia Pacific (Sydney) Region

  • Asia Pacific (Tokyo) Region

  • Asia Pacific (Hong Kong) Region

  • China (Beijing) Region

  • China (Ningxia) Region

  • EU (Frankfurt) Region

  • EU (Ireland) Region

  • EU (London) Region

  • EU (Paris) Region

  • South America (São Paulo) Region

  • AWS GovCloud (US-East) Region

Supported AWS Instance Types

Supported AWS Instance Types:

  • m3.large, m3.xlarge, m3.2xlarge

  • c4.large, c4.xlarge, c4.2xlarge, c4.4xlarge, c4.8xlarge

  • m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge

  • m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.12xlarge, m5.24xlarge

  • c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.18xlarge, c5.24xlarge

  • c5n.large, c5n.xlarge, c5n.2xlarge, c5n.4xlarge, c5n.9xlarge, c5n.18xlarge

Supported AWS Services

Supported AWS Services:

  • EC2

  • Lambda

  • S3

  • VPC

  • Route 53

  • ELB

  • CloudWatch

  • AWS Auto Scaling

  • CloudFormation

  • Simple Queue Service (SQS)

  • Simple Notification Service (SNS)

  • Identity & Access Management (IAM)

For higher bandwidth, Citrix recommends the following instance types:

Instance Type              Bandwidth            Enhanced Networking (SR-IOV)
m4.10xlarge                3 Gbps and 5 Gbps    Yes
c4.8xlarge                 3 Gbps and 5 Gbps    Yes
c5.18xlarge/m5.18xlarge    25 Gbps              ENA
c5n.18xlarge               30 Gbps              ENA

To remain updated about the current supported VPX models and AWS regions, instance types, and services, visit: VPX-AWS support matrix.